FAQ: What you need to know about CISPA (Update: bill passes House)

The U.S. House of Representatives passed a major cyber-security bill that would change how companies like Facebook can share personal information. Privacy advocates are in an uproar and the Obama Administration is threatening a veto. What’s going on?

UPDATE: The vote was originally scheduled for Friday but took place Thursday evening instead. It passed 248 to 168 on largely partisan lines. (Read our account here)

Here’s a plain English guide to the policies and politics driving the Cyber Intelligence Sharing and Protection Act:

So is this SOPA all over again?

Not really. The ill-fated Stop Online Piracy Act was about Hollywood trying to force tech companies to become copyright cops. CISPA, on its face, is about giving those same companies tools to confront cyber-attacks.

Isn’t that the same thing?

Critics said that an earlier version of CISPA was a stalking horse for the copyright industry — they worried that companies would dress up anti-piracy initiatives as security complaints. New language makes this unlikely and emphasizes that the bill is indeed about cyber-security.

Well, what cyber-security concerns are we talking about?

Major U.S. companies and government agencies have suffered hacking attacks in which intruders have stolen classified files, trade secrets or source code. The attackers include criminal gangs and state-sponsored (read: China) cyber espionage teams. Security experts warn that cyber-attacks lead to economic loss for companies and military vulnerabilities for the country.

Sounds scary. What does CISPA do to address this?

One of the bill’s main goals is to improve the sharing of information between companies and the government. In theory, it will be easier for the government to warn companies about security threats. In turn, the companies will have more ability to alert the government about suspicious activities or attacks.

So why do we need a new law for this?

CISPA wants to update existing laws like the National Security Act of 1947 to require authorities to share information about cyber-attacks as well as conventional military threats. There are also laws like the Wiretap Act and the Electronic Communications Privacy Act that limit what private companies can do with information about their customers. CISPA would help companies avoid getting sued under those laws when they share information about cyber-security.

Sounds reasonable. Everyone’s got to do their part to prevent a cyber-attack, right?

The problem, as you may have guessed, is that CISPA may be a lot broader than what is needed to get the job done. Critics worry that companies will be cavalier about passing data around if they don’t have to fear privacy lawsuits. Companies like Facebook, Amazon, Google and Netflix (many of which are supporting CISPA) are facing dozens of privacy-related lawsuits — CISPA might be a way to sidestep some of these in the future. Also, the government could invoke CISPA as a pretext to override civil liberties. From this perspective, CISPA is less like SOPA and more like a new form of the Patriot Act.

Uh, oh. Is the law actually going to pass?

The bill passed the House amidst Democratic grumbling. Politico reports that Sen. Joe Lieberman expects a Senate version will see floor time as soon as next month. This does not, of course, mean that the bill will become law anytime soon — the approach of the November election is likely to put Congress into its semi-annual state of paralysis. There are also competing bills from the White House and from people like Lieberman who want stronger measures to protect infrastructure like dams and utilities.

What about the veto threat?

The White House issued a strong statement on Wednesday that attacked CISPA for trampling privacy and civil liberties. It said the bill should include a provision obliging the government and companies to minimize the amount of personal data that passes between them. The statement stressed the “civilian nature of cyberspace” and warned of a veto. But veteran political types noted the veto threat contains a hedge — it says advisers would recommend a veto, not that the President will veto it.

Where can I learn more about all this?

The Electronic Frontier Foundation has its usual top-rate privacy analysis here. CNET’s Declan McCullagh has a worthy overview of the lobbying forces here and GigaOM’s Derrick Harris has a cool-headed look at the bill here. And the non-partisan Congressional Research Service has the bill and a summary here.